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DEVICE AND METHOD FOR MAKING 
AN INTEGRATED CIRCUIT SECURE 



Art Unit : 
Examiner : 

PRELIMINARY AMENDMENT 
BOX PCT 

Asst. Commissioner for Patents 
Washington, D.C. 20231 

SIR: 

Please amend the above-identified application as follows: 

IN THE SPECIFICATION 

Please insert the following as the first sentence of the 
above-identified application: 

— This application is a U.S. National Phase Application 
under 35 USC 371 of International Application PCT/FR99/02639 (not 
published in English) filed 28 October 1999. — 



Page 1, before the paragraph starting on line 2, insert the 
following heading: 

—FIELD OF THE INVENTION— 



Between lines 7 and 8, insert the heading 
—BACKGROUND OF THE INVENTION—. 

Page 2, between lines 10 and 11, insert the heading 

— SUMMARY OF THE INVENTION—. 

Page 3, between lines 10 and 11, insert the heading 
—BRIEF DESCRIPTION OF THE DRAWINGS—. 

Page 3, between lines 27 and 28, insert the heading 

— DETAILED DESCRIPTION OF THE DRAWINGS—. 

IN THE CT.ATM.q 

Change the heading to — I CLAIM — . 



Please amend claims 1-8 as follows (see attachment for 
details of changes) : 

1. (Amended) An integrated circuit device containing a 
memory area that comprises, on the one hand, a data memory and a 
program memory, and on the other hand, a program having N code 
blocks, N being an integer greater than 1, characterized in that 



said memory area has M replicas / M being an integer greater than 
1, of X program code blocks, x being an integer comprised between 
1 and wherein said replicas reside at different addresses 
within said memory area^ and in that said device comprises 
selection means for randomly selecting one replica of at least 
one of the x blocks as a block replica to be used when executing 
said program. 

2. (Amended) A device according to claim 1, characterized 
in that the sums of bit values of at least two addresses among 
the set of addresses of one replicated block and its M replicas 
are different. 

3. (Amended) A device according to claim 1, characterized 
in that, among the set of addresses of one replicated block and 
its M replicas, one address resides within the program memory and 
another address resides within the data memory. 

4. (Amended) A device according to claim 1, characterized 
in that it comprises controller means for randomly scheduling 
block execution. 

5. (Amended) A method for making secure an integrated 
circuit device containing a memory area, which comprises, on the 
one hand, a data memory and a program memory, and on the other 
hand, a program having N code blocks, N being an integer greater 



than 1, characterized in that said method comprises the steps of: 

- generating, within said memory area, M replicas, M being 
an integer greater than 1, of x program code blocks, x being an 
integer comprised between 1 and N, wherein said replicas reside 
at different addresses within said memory area, and 

- randomly selecting one replica of at least one of the x 
blocks as a block replica to be used when executing said program, 

6. (Amended) A method according to claim 5, characterized 
in that said method comprises the additional step of selecting 
the sums of bit values of at least two addresses among the set of 
addresses of one replicated block and its M replicas in such a 
way that they are different, 

7. (Amended) A method according to claim 5, characterized 
in that, among the set of addresses of a replicated block and its 
M replicas, an address is selected within the program memory and 
another address is selected within the data memory. 

8. A method according to claim 5, characterized in that said 
method comprises the additional step of randomly scheduling block 
execution. 
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DEVICE AND METHOD FOR MAKING AN INTEGRATED CIRCUIT SECURE 

This application is a U.S. National Phase Application 
under 35 USC 371 of International Application 
PCT/FR99/02639 (not published in English) filed 28 October 
1999 . 

FIELD OF THE INVENTION 

The present invention relates to an integrated circuit 
device containing a memory area, which comprises, on the 
one hand, a data memory and a program memory, and on the 
other hand, a program having n code blocks Bi (i = 1, 
N) . It further relates to a method for making such a device 
secure . 

BACKGROUND OF THE INVENTION 

Integrated circuit devices of this kind are most often 
used in applications where confidential information storing 
and processing security is essential. These can for example 
be electronic component-carrying cards for applications 
relating to the fields of health, mobile telephony, or also 
banking applications. 

Such cards comprise an integrated circuit which 
conventionally includes a controller for (for example a 
central processing unit or CPU) managing and distributing, 
through bus lines, data or address information that is 
stored within the memory area of said cards. This 
integrated circuit having bus lines consumes electrical 
power, in particular when these bus lines are used to carry 
logical 1 information. 

Also, the intensity of the electrical current used by 
an electronic component-carrying card varies with time, in 
particular because of the different values of data or 
addresses transiting over said bus lines in the card. The 
current change as a function of time is an electrical 
signature of the card's activity and therefore, analyzing 
said signature is indicative of said activity. Thereby, by 
means of an analysis of the electrical signature, forgers, 
for example, can easily follow a succession of operations 



contained in the different code blocks of the program of 
said card and therefore, can access the confidential 
information contained in this card. 

In order to make the analysis of the electrical 
signature more complex to forgers, the state of the art 
suggests providing auxiliary devices for generating 
spurious signals that are added to the electrical signature 
of said electronic component-carrying card's activity. 
Although they make the electrical signature analysis more 
delicate, such auxiliary devices are slow because they 
monopolize some of the card's resources, which resources 
are already used for executing other operations specific to 
the card and consume more current because they include 
electronic components that require electrical power for 
their operation. 
SUMMARY OF THE INVENTION 

Thus, one technical problem to be solved by the present 
invention is that of providing an integrated circuit device 
containing a memory area that comprises, on the one hand, 
a data memory and a program memory, and on the other hand, 
a program having N code blocks Bi (i=l, ... , N) , as well 
as a method for making such a device secure, for obtaining 
an electrical signature in such a way that said signature 
is difficult to analyze and which further requires little 
power and time consumption, for example due to auxiliary 
devices appropriating the device's own resources. 

According to a first object of the present invention, 
a solution to the technical problem posed is characterized 
in that said memory area of said integrated circuit device 
comprises M replicas Cj (j = 1, . . . , M) having x program 
code blocks Bi (x = 1, ,., N) , said replicas residing at 
different addresses within said memory area, and in that 
said device comprises selection means for randomly 
selecting a replica Cj of at least one of the x blocks Bi, 
as a block replica to be used when executing said program. 

According to a second object of the present invention, 
this solution is characterized in that the securing method 
comprises the steps of: 



- creating, within said memory area, M replicas Cj 
(j = 1, . , . , M) of X program code blocks Bi (x = 1, 

N) f wherein said replicas reside at different addresses 
within said memory area, and 

- randomly selecting one replica Cj of at least one of 
the X blocks Bi, as a block replica to be used when 
executing said program. 

Therefore, as explained in detail below, the device 
according to the invention prevents forgery by making the 
analysis of the electrical signatures very difficult to 
analyze by such forgery, taking advantage of the fact that 
said electrical signature varies, in particular, as a 
function of the values transiting over said device bus 
lines . 

BRIEF DESCRIPTION OF THE DRAWINGS 

Other features and advantages of the invention will 
become apparent from the following description of preferred 
embodiments of the present invention, provided by way of 
non-limiting examples, in reference to the appended 
Figures, in which: 

Fig. 1 illustrates an integrated circuit device, such 
as, for example, an electronic component-carrying card. 

Fig. 2 illustrates a memory area in the card of Fig. 1, 

Fig. 3 illustrates bus lines in the card of Fig. 1. 

Fig. 4 illustrates the memory area of Fig. 2 restricted 
to code block Bi. 

Fig. 5 illustrates addressing of a code block and its 
replicas within the card of Fig. 1. 

Fig. G illustrates a distribution of a code block and 
its replicas within a memory area of Fig. 2. 

Fig, 7 illustrates another distribution of a code block 
and its replicas within the memory area of Fig. 2. 
DETAILED DESCRIPTION OF THE INVENTION 

Fig. 1 shows an integrated circuit device 10, for 
example an electronic component-carrying card. 

Card 10 includes a controller (for example a central 
processing unit or CPU) , a memory area 12 including a data 
memory 14 and a program memory 15, and a terminal block 13 



AMENDED CLAIMS SHOWING CHANGES MADE TO CLAIMS 
(U.S. Natl. Phase of Appln 
No. PCT/FR98/02639) . 

[ CLAIMS 1 I CLAIM 

1. (Amended) An integrated circuit device containing a 
memory area that comprises, on the one hand;, a data memory and a 
program memory, and on the other hand, a program having N code 
blocks , N being an integer greater than 1 [Bi (i 1, . . . , N) ] , 
characterized in that said memory area has M replicas [Cj (j = 1, 

M) 1 , M being an integer greater than 1, of x program code 
blocks [Bi (x = 1, N) 1 , x being an integer comprised between 

1 and N , wherein said replicas reside at different addresses 
within said memory area, and in that said device comprises 
selection means for randomly selecting one replica [Cj] of at 
least one of the x blocks [Bi], as a block replica to be used 
when executing said program. 

2. A device according to claim 1, characterized in 
that the sums of bit values of at least two addresses among the 
set of addresses of one replicated block [Bi] and its M replicas 
[Cj] are different. 

3. (Amended) A device according to [any preceding claim] 
claim 1 . characterized in that, among the set of addresses of one 
replicated block [Bi] and its M replicas, one address resides 
within the program memory and another address resides within the 
data memory. 

4. (Amended) A device according to [any preceding claim] 
claim 1 . characterized in that it comprises controller means for 
randomly scheduling block execution. 



5. (Amended) A method for making secure an integrated 
circuit device containing a memory area, which comprises, on the 
one hand, a data memory and a program memory, and on the other 
hand;r a program having N code blocks r N being an integer greater 
than 1 [Bi (i = 1, . • . / N) ] , characterized in that said method 
comprises the steps of: 

- generating, within said memory area, M replicas [Cj (j = 
1, M) 1 , M being an integer greater than 1, of x program code 
blocks [Bi (x = 1, N) 1 , x being an integer comprised between 
1 and N . wherein said replicas reside at different addresses 
within said memory area, and 

- randomly selecting one replica [Cj] of at least one of 
the x blocks [Bi] , as a block replica to be used when executing 
said program. 

6. (Amended) A method according to claim 5, characterized 
in that said method comprises the additional step of selecting 
the sums of bit values of at least two addresses among the set of 
addresses of one replicated block [Bi] and its M replicas [Cj] in 
such a way that they are different. 

7. (Amended) A method according to [claims 5 or 6] claim 5 , 
characterized in that, among the set of addresses of a replicated 
block [Bi] and its M replicas, an address is selected within the 
program memory and another address is selected within the data 
memory. 

8. A method according to [claims 5, 6 or 7] claim 5 , 
characterized in that said method comprises the additional step 
of randomly scheduling block execution. 
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DEVICE AND METHOD FOR MAKING AN INTEGRATED CIRCUIT SECURE 



The present invention relates to an integrated circuit 
device containing a memory area;, which comprises on the 
one hand, a data memory and a program memory, and on the 
other hand, a program having n code blocks Bi (i = 1, .../ 
N) . It further relates to a method for making such a device 
secure . 

Integrated circuit devices of this kind are most often 
used in applications where confidential information storing 
and processing security is essential. These can for example 
be electronic component-carrying cards for applications 
relating to the fields of health, mobile telephony, or also 
banking applications . 

Such cards comprise an integrated circuit which 
conventionally includes a controller for (for example a 
central processing unit or CPU) managing and distributing, 
through bus lines, data or address information that is 
stored within the memory area of said cards. This 
integrated circuit having bus lines consumes electrical 
power, in particular when these bus lines are used to carry 
logical 1 information. 

Also, the intensity of the electrical current used by 
an electronic component-carrying card varies with time, in 
particular because of the different values of data or 
addresses transiting over said bus lines in the card. The 
current change as a function of time is an electrical 
signature of the card's activity and therefore, analyzing 
said signature is indicative of said activity. Thereby, by 
means of an analysis of the electrical signature, forgers, 
for example, can easily follow a succession of operations 
contained in the different code blocks of the program of 
said card and therefore, can access the confidential 
information contained in this card. 

In order to make the analysis of the electrical 
signature more complex to forgers, the state of the art 
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suggests providing auxiliary devices for generating 
spurious signals that are added to the electrical signature 
of said electronic component-carrying card^s activity. 
Although they make the electrical signature analysis more 
5 delicate, such auxiliary devices are slow because they 

monopolize some of the card's resources, which resources 
are already used for executing other operations specific to 
the card and consume more current because they include 
electronic components that require electrical power for 
10 their operation. 

O Thus, one technical problem to be solved by the present 

;5 invention is that of providing an integrated circuit device 

y containing a memory area that comprises, on the one hand, 

a data memory and a program memory, and on the other hand, 
K a program having N code blocks Bi (i=l, ... , N) , as well 

a method for making such a device secure, for obtaining 
'1^, an electrical signature in such a way that said signature 

^ is difficult to analyze and which further requires little 

ill power and time consumption, for example due to auxiliary 

ifi devices appropriating the device's own resources. 

m. According to a first object of the present invention, 

a solution to the technical problem posed is characterized 
in that said memory area of said integrated circuit device 
comprises M replicas Cj (j = 1, M) having x program 

25 code blocks Bi (x = 1, . . , N) , said replicas residing at 

different addresses within said memory area, and in that 
said device comprises selection means for randomly 
selecting a replica Cj of at least one of the x blocks Bi, 
as a block replica to be used when executing said program. 
30 According to a second object of the present invention, 

this solution is characterized in that the securing method 
comprises the steps of: 

- creating, within said memory area, M replicas Cj 
(j =1, M) of X program code blocks Bi (x = 1, 

35 N) , wherein said replicas reside at different addresses 

within said memory area, and 
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- randomly selecting one replica Cj of at least one of 
the X blocks Bi^ as a block replica to be used when 
executing said program. 

Therefore^, as explained in detail below, the device 
5 according to the invention prevents forgery by making the 

analysis of the electrical signatures very difficult to 
analyze by such forgery^, taking advantage of the fact that 
said electrical signature varies, in particular, as a 
function of the values transiting over said device bus 
10 lines - 

P Other features and advantages of the invention will 

'Jf become apparent from the following description of preferred 

I'^'l embodiments of the present invention, provided by way of 

Q non-limiting examples, in reference to the appended 

Figures, in which: 
m Fig. 1 illustrates an integrated circuit device, such 

;s as, for example, an electronic component-carrying card. 

Fig- 2 illustrates a memory area in the card of Fig. 1. 
nj Fig. 3 illustrates bus lines in the card of Fig. 1. 

2® Fig. 4 illustrates the memory area of Fig, 2 restricted 

:r1 to code block Bi . 

Fig. 5 illustrates addressing of a code block and its 
replicas within the card of Fig. 1. 

Fig. 6 illustrates a distribution of a code block and 
25 its replicas within a memory area of Fig. 2. 

Fig. 7 illustrates another distribution of a code block 
and its replicas within the memory area of Fig. 2. 

Fig. 1 shows an integrated circuit device 10, for 
example an electronic component-carrying card. 
30 Card 10 includes a controller (for example a central 

processing unit or CPU) , a memory area 12 including a data 
memory 14 and a program memory 15, and a terminal block 13 
for electrical connection, for example, to a card reader 
connector - 

35 Memory area 12 is shown in Fig. 2. It contains a 

program P including N code blocks Bi (i = 1, N) 
forming code blocks representing steps or operations to be 
performed when executing said program P, which enables 



performing operations such as reading or selecting data 
from card 10 and wherein said blocks Bi handle data and 
address information . 

When executing program P^. information interchanges take 
place between memories 14, 15 and controller 11;. through 
bus lines within said integrated circuit;, which are handled 
by controller 11 in said card 10. The bus lines are either 
lines for transferring address information;, or lines for 
transferring data information. As shown in Fig. 3, data bus 
lines Dl, D2;r D8 and address bus lines Al, A2^ --w 

A16 are connected to each of the data memory 14 and program 
memory 15 within each memory area 12 as well as to 
controller 11 (CPU) . 

In order to scramble the analysis of the electrical 
signature on execution of program P, which execution is a 
sign of card 10 being active, according to the present 
invention, the device comprises M replicas Cj (j = 1, 
M) of one or several blocs Bi within said memory area 12, 
and selection means Ms for randomly selecting one of 
replicas Cj of a block Bi as a block replica to be executed 
when the latter must be executed within said program P. 
When program P is executed, several code blocks Bi will be 
executed. Fig, 4 illustrates an example for a given block 
Bi. For each execution of this block Bi to be executed 
within program P and including replicas Cj within memory 
area 12, selection means Ms randomly selects either block 
Bi or one of its replicas Cj so as to execute it within 
program P. As the various replicas Cj as well as block Bi 
reside at different address values, on each new request for 
executing block Bi within program P, the bus lines do not 
carry the same address values and this makes analyzing the 
electrical signature, which varies according to the values 
transiting over the bus lines in card 10, much more 
difficult. The more replicated blocks Bi this device 
includes, the more difficult the signature will be to 
analyze. This is the reason why the invention provides 
replicas Cj for x blocks Bi (x = 1, . . . , N) . 
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In particular^ the electrical signature varies as a 
function of the values transiting over the address bus 
lines shown in Fig. 3, and more specifically;, whenever 
information 1 is present on a bus line, which information 
5 requires a certain electrical current. However, if address 

values of the above-mentioned replicas Cj and said 
replicated block Bi are equivalent in terms of electrical 
consumption (for example their values 1111100000000000 and 
0000111011000000 induce the same consumption since they 
10 each have the same number of bits equal to one and zero) , 

Q the electrical signature will not change much. Thus, 

addresses are selected in such a way that the sum of bit 
\d values of at least two addresses among the set of addresses 

O of a replicated block Bi and its M replicas Cj are 

is different. In practice, it has been found that, generally 

speaking, a 1-bit difference among these sums was 
sufficient for differentiating the various electrical 
consumption amounts of the address values and therefore 
?U make the analysis of the electrical signature more complex - 

2§ The example illustrated in Fig. 5 shows a block Bi with its 

three replicas CI, C2 and C3 and their respective addresses 
Ab, Acl, Ac2 and Ac3. In this example, it can be seen that 
the bit sums of address values Ab, Acl, and Ac3 are 
different and therefore, that the address values vary in 
25 electrical consumption whereas the bit sums of address 

values Ab and Ac2 are equivalent (with their sum equal to 
seven) and that, as a consequence, their address values are 
equivalent in terms of electrical consumption. 

Just as the electrical signature varies according to 
30 the values transiting over the address bus lines, the 

electrical signature varies according to the values 
transiting over the data bus lines shown in Fig. 3. 

Thus, according to the present invention, among the set 
of addresses within a replicated block Bi and its M 
35 replicas (where block Bi includes operations for managing 

a given number of data) , an address resides within program 
memory 15 and another address resides within data memory 
14, as shown in the examples of Figs. 6 and 7. In this 
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respect, the execution of an operation, for example a read 
or write operation, residing in program memory 15, does not 
consume the same amount of current as when said operation 
resides in data memory 14. Operations of the replicated 
5 block Bi are seen from card controller 11 as data 

information transiting over the data bus lines. 

Therefore, the above-mentioned system, where blocks are 
replicated within different memories, enables scrambling of 
the electrical signature, and it will be understood that 
10 this system, in combination with what has been described so 

O far, makes the electrical signature even more difficult to 

*5 analyze. 

Finally, in addition to a random variation of the 
□ electrical signature due to the different systems provided 

tj- within the device according to the present invention and as 

i'^ disclosed previously, the latter provides a random time 

variation of said signature. More specifically, the present 
invention provides a device comprising controller means for 
m randomly scheduling the execution of blocks Bi . Each block 

2& comprises a set of operations relating to the electronic 

jfj component-carrying card. These operations, when executed, 

invoke functions that are managed by card controller 11. 
For performing these functions, the controller takes time. 
In general, for each set of functions, the time consumed 
25 will be different, which is also the case for each set of 

operations. Thus, when using this controller means for 
random execution of blocks, on each new execution of 
program P, the electrical signature will vary in time since 
the code blocks are not executed in the same order, 
30 whereby, for example, a forger will not be able to 

repeatedly launch the execution of said program P and 
analyze the electrical signature in order to find matches 
between various processing operations and each signal or 
series of signals contained within the electrical 
35 signature. It will be noted that no auxiliary device has 

been added for countering such forgery. 



CIAIMS 

1. An integrated circuit device containing a memory 
area that comprises, on the one hand, a data memory and a 
program memory, and on the other hand, a program having N 
code blocks Bi (i = 1, . , . , N) , characterized in that said 
memory area has M replicas Cj (j = 1, . . . , M) of x program 
code blocks Bi (x = 1, N) , wherein said replicas 
reside at different addresses within said memory area^ and 
in that said device comprises selection means for randomly 
selecting one replica Cj of at least one of the x blocks 
Bi, as a block replica to be used when executing said 
program. 

2. A device according to claim 1, characterized in that 
the sums of bit values of at least two addresses among the 
set of addresses of one replicated block Bi and its M 
replicas Cj are different. 

3. A device according to any preceding claim, 
characterized in that, among the set of addresses of one 
replicated block Bi and its M replicas, one address resides 
within the program memory and another address resides 
within the data memory. 

4 . A device according to any preceding claim, 
characterized in that it comprises controller means for 
randomly scheduling block execution. 

5. A method for making secure an integrated circuit 
device containing a memory area, which comprises, on the 
one hand, a data memory and a program memory, and on the 
other hand, a program having N code blocks Bi (i = 1, . . . , 
N) , characterized in that said method comprises the steps 
of: 



- generating, within said memory area^. M replicas Cj 
(j = 1, .... M) of X program code blocks Bi (x = 1, 
N) f wherein said replicas reside at different addresses 
within said memory area, and 

" randomly selecting one replica Cj of at least one of 
the X blocks Bi, as a block replica to be used when 
executing said program. 

6. A method according to claim 5, characterized in that 
said method comprises the additional step of selecting the 
sums of bit values of at least two addresses among the set 
of addresses of one replicated block Bi and its M replicas 
Cj in such a way that they are different. 

7. A method according to claims 5 or 6, characterized 
in that, among the set of addresses of a replicated block 
Bi and its M replicas, an address is selected within the 
program memory and another address is selected within the 
data memory. 

8. A method according to claims 5, 6 or 7, 
characterized in that said method comprises the additional 
step of randomly scheduling block execution. 
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ABSTRACT 

The present invention relates to an integrated circuit 
device containing a memory area, which comprises, on the 
5 one hand, a data memory and a program memory, and on the 

other hand, a program having N code blocks Bi (i = 1, ...f 
N) . It also relates to a method for making such a device 
secure. The present invention is characterized in that the 
memory area has M replicas Cj (j = Ir . - . ^ M) of x program 
10 code blocks Bi (x = 1, N) , which replicas reside at 

"J different addresses in said memory area, and in that said 

device has selection means for randomly selecting one 
'^ff- replica Cj of at least one of the x blocks Bi, as a block 

'rl replica to be used when executing said program. In 

1^ particular, the present invention can be applied to smart 

cards . 
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